On 12/08/2011 10:12 AM, Hans Schillstrom wrote:
Hi While testing HMARK and IPv6 with nf_defrag_ipv6 (and nf_conntrack_ipv6 loaded) I can't see the defrag ? From what I can see nf_conntrack_reasm goes into PREROUTING with prio -400 and HMARK in PREROUTING with prio -150 I was expecting that the reasaembled packet whould reach HMARK not the fragments. (Debug print from hmark) HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:30 plen:1408 (2008::10 - 1000::1) HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:0 plen:86 (2008::10 - 1000::1) IPv4 do reassm. the packets not IPv6...
Yeah, IPv6 currently only passes the defragmented packet through conntrack, then associates the conntrack information with the individual fragments and passes those on. I'll post patches for IPv6 NAT which will change this to behave similar to IPv4 soon. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
